Thursday, November 27, 2014

ReGeneration (Regin) Targeted Attack

Nowadays every security blogger is writing about how Regin (it should be read as Re-Gen, like regeneration), a new sophisticated targeted attack discovered by Symantec (here), works and how it spied on several thousand PCs, mostly in Russia, Germany and the Middle East. I won't write about its "hidden 6 stages" malware or about its incredibly high number of payloads; I want to focus my research on the initial vector, which happens to be undisclosed so far. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites and that the threat may be installed through a web browser or by exploiting an application. Symantec asserted:

On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.

According to CVE (from here) the last known exploit affecting Yahoo Messenger is almost 3 years old; isn't that weird? Yahoo Messenger is a well-known piece of software and commonly used to communicate, so it's quite weird that no security breaches came out in the past 3 years... at least this is my personal opinion. Who knows how many security flaws are afflicting such a piece of software...

The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and modules designed for lateral movement. So far, we have not encountered any exploits. The replication modules are copied to remote computers by using Windows administrative shares and then executed.

Naturally it means the malware must be run with administrative privileges, which makes me think about the real initial vector...
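The quoted replication technique (copy a module to a remote machine over an administrative share, then execute it) leaves a recognisable trace on the target: a remote write to ADMIN$ or C$ (Security event 5145) followed shortly by a new service being installed (System event 7045). The following correlation is an added example for defenders and is not code from the original post, nor anything from Regin itself; the event records are constructed and simplified, and the 300-second window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Administrative shares that lateral-movement tooling typically writes to.
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}
FILE_WRITE_DATA = 0x2  # access-mask bit: the client asked to write file data

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_admin_share_lateral_movement(events, window_seconds=300):
    """Return alerts where a remote write to an administrative share (Security
    event 5145) is followed, on the same host and within the window, by a new
    service being installed (System event 7045)."""
    writes = []
    for e in events:
        if e["id"] != 5145:
            continue
        share = e["share"].rsplit("\\", 1)[-1].upper()   # \\*\ADMIN$ -> ADMIN$
        if share in ADMIN_SHARES and e["access_mask"] & FILE_WRITE_DATA:
            writes.append(e)
    alerts = []
    for svc in (e for e in events if e["id"] == 7045):
        for w in writes:
            gap = _ts(svc["time"]) - _ts(w["time"])
            if w["host"] == svc["host"] and timedelta(0) <= gap <= timedelta(seconds=window_seconds):
                alerts.append({
                    "source_ip": w["source_ip"], "user": w["user"], "host": w["host"],
                    "file": w["share"] + "\\" + w["target"], "service": svc["service"],
                    "seconds_between": int(gap.total_seconds()),
                })
    return alerts

# Constructed sample records (simplified field names, not a real log export).
SAMPLE_EVENTS = [
    {"id": 5145, "time": "2014-11-27 09:00:00", "host": "WS01", "source_ip": "10.0.0.5",
     "user": "CORP\\backupsvc", "share": "\\\\*\\C$", "target": "Backups\\daily.bak", "access_mask": 0x2},
    {"id": 5145, "time": "2014-11-27 09:15:15", "host": "WS02", "source_ip": "10.0.0.23",
     "user": "CORP\\admin", "share": "\\\\*\\ADMIN$", "target": "Temp\\upd.exe", "access_mask": 0x2},
    {"id": 5145, "time": "2014-11-27 09:15:20", "host": "WS03", "source_ip": "10.0.0.23",
     "user": "CORP\\admin", "share": "\\\\*\\Public", "target": "notes.txt", "access_mask": 0x2},
    {"id": 7045, "time": "2014-11-27 09:15:40", "host": "WS02", "service": "updsvc",
     "image_path": "C:\\Windows\\Temp\\upd.exe"},
    {"id": 7045, "time": "2014-11-27 11:00:00", "host": "WS01", "service": "BackupAgent",
     "image_path": "C:\\Program Files\\Backup\\agent.exe"},
]

if __name__ == "__main__":
    for alert in find_admin_share_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

Only the WS02 pair is flagged: the backup write to C$ on WS01 has no service install inside the window, and the write to a non-administrative share is ignored.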

The reality is that no reproducible vector had been established when Symantec released its findings, which shows just how incredibly sophisticated this malware threat is, with custom modules that can be deployed at will to change attack vectors and go after targets with razor-sharp accuracy. We might consider this one of the most complex pieces of malware ever released (for the time being), even more complex than Duqu or Stuxnet.

Some pieces of code were written in 2003, and most of them are still encrypted and undisclosed. This is another scary factor. If you don't believe me and you want to try your own analysis, please feel free to download some samples of the Regin malware from here (the password is: "infected"). If you have trouble finding the file, feel free to drop me an email.